----------------------- scenario -----------------------
On the servers -> RH 7.2 with
    openldap-2.0.21-1
    openldap-clients-2.0.21-1
    openldap-server-2.0.21-1
    openssl-0.9.6b-28
    openssl-perl-0.9.6b-28
On the clients -> RH 7.2 with
    openldap-2.0.21-1
    openldap-clients-2.0.21-1
                  RH 7.3 with
    openldap-2.0.23-4
    openldap-clients-2.0.23-4
----------------------- scenario -----------------------
I'm trying to get myself further on the ldap learning curve here, so please be gentle. Oh, if you must be rough then... Anyway, here is the issue:

On the server I have utilized the migration tools to get user and group data into my ldap database. This went very well after some tinkering. I did a regeneration of my pem cert by utilizing the Makefile in the ssl/cert subdirectory, which creates a key and then self signs it. Then I corrected the permissions and restarted the ldap server. Cool so far.

However, I don't know if I understand what is going on with the SSL/TLS stuff. I think my SSL/TLS stuff is working because I can do the following:

    ldapsearch -x -H ldaps://<me-ldap-server> -b 'dc=<my domain>,dc=<com>' '(uid=<a user>)'

and if I look at 'tcpdump -q host <me-ldap-server>' while running the above command I see that my connection is to/from ldaps (port 636). However, just running the above command without the '-H ldaps://<me-ldap-server>' I see (with the above tcpdump command) that my connection is to/from ldap (port 389).

If I put 'HOST ldaps://<me-ldap-server>' into the /etc/openldap/ldap.conf file and then run the above command (again without the -H stuff) I get a connection error, and tcpdump shows some funky port (sorry, can't remember right now, but I thought it said the port was domain).

So one more thing: first I put 'HOST <me-ldap-server>' into the /etc/openldap/ldap.conf, then I tried the following:

    ldapsearch -x -ZZ -b 'dc=<domain>,dc=<com>' '(uid=<a user>)'

and a tcpdump (like above) shows to/from ldap (port 389). Hmm... But I did notice that the data started coming back after a slight delay. So I did the following 2 commands with the following results:

    time ldapsearch -x -b 'dc=<domain>,dc=<com>' '(uid=<a user>)'
    real 0m0.255s

    time ldapsearch -x -ZZ -b 'dc=<domain>,dc=<com>' '(uid=<a user>)'
    real 0m1.038s

Yep, did it multiple times and picked one that was average. So it seems that something else is going on when using -ZZ. Could it be an SSL/TLS encrypted channel being set up?

If I use pam_ldap to authenticate from my ldap server, how do I make sure that it's done over SSL/TLS?

This got a bit long, sorry!

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@;redhat.com?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
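The two transports in the question differ in when TLS starts: ldaps:// negotiates TLS on 636 before any LDAP message is exchanged, while -ZZ opens plain port 389, sends LDAP's StartTLS extended operation (RFC 2830) and wraps the same socket in TLS only after the server answers resultCode 0, so that extra round trip happens before the search is sent. The Python below is an added illustration, not code from the poster or from OpenLDAP: it encodes the StartTLS request, decodes the server's ExtendedResponse, and shows the client-side check a caller must make before handing the socket to TLS; `starttls_socket` and the two sample replies are constructed for the example.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 2830 StartTLS extended operation

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N then N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    mid = msg_id.to_bytes((msg_id.bit_length() + 8) // 8, "big")  # positive INTEGER, sign bit clear
    return ber_tlv(0x30, ber_tlv(0x02, mid) + ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID)))

def _read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the real length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data: bytes) -> dict:
    """Extract messageID, resultCode, matchedDN and diagnosticMessage from an ExtendedResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    _, mid, pos = _read_tlv(msg, 0)
    optag, op, _ = _read_tlv(msg, pos)
    if tag != 0x30 or optag != 0x78:  # LDAPMessage SEQUENCE carrying [APPLICATION 24]
        raise ValueError("not an LDAPMessage carrying an ExtendedResponse")
    _, code, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return {"msg_id": int.from_bytes(mid, "big"), "result": int.from_bytes(code, "big"),
            "matched_dn": dn.decode(), "diag": diag.decode()}

def starttls_socket(sock: socket.socket, host: str) -> ssl.SSLSocket:
    """On an open port-389 socket: send StartTLS, require resultCode 0, then wrap it in TLS."""
    sock.sendall(starttls_request())
    resp = parse_extended_response(sock.recv(4096))
    if resp["result"] != 0:  # never fall back to cleartext on refusal (this is what -ZZ enforces)
        raise RuntimeError(f"server refused StartTLS: {resp}")
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)

# Constructed sample replies (not captures from a real server): success, and 53 unwillingToPerform.
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_REFUSED = bytes.fromhex("301702010178120a01350400040b756e617661696c61626c65")
```

With a self-signed server certificate like the one built by the ssl/cert Makefile, `ssl.create_default_context(cafile=...)` must point at that certificate or the wrap fails verification.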